Hacking risk in Win2000


A major vulnerability in Microsoft's Windows 2000 operating system has been revealed by a security firm.

The vulnerability, which could allow hackers to access confidential Web site details, affects Windows 2000 IIS 5.0 Web server software. Illicit hacking groups have already posted software on the Internet that exploits the vulnerability, and it is free for anyone to download.

The vulnerability potentially leaves thousands of companies around the world exposed to hacking attacks, according to Marc Maiffret, chief hacking officer at eEye Digital Security, the company that discovered the problem. "This is a very, very serious vulnerability that should be treated with the utmost urgency and priority by network administrators," he said.

The problem lies in the software's printing function, which hackers can exploit using a "buffer overflow" attack. Microsoft has publicly acknowledged the problem and has issued a fix for it.

Microsoft's own Web sites have been successfully attacked using the vulnerability. Graffiti hackers penetrated and defaced several of the company's Web sites last week.

Neil Barrett, technical director at security consultancy Information Risk Management, said the vulnerability underlines the importance of security testing, either in-house or from external experts. "It is better to test the software yourself than to let hackers do it for you," he said.

"This is embarrassing for Microsoft. An important product has been shown to be weak from day one. Buffer overflow problems are simple to program out."

Mark Tennent, Microsoft Windows 2000 product manager, said future versions of the product would avoid this problem.

Lindsay Clark
lindsay.clark@rbi.co.uk
